Search engine redirect virus

I've seen other topics concerning this issue, with Google and other search engines being redirected to whattoseek.net among others. While I can't locate the cause, I have found what it was exploiting in my case, and it was a Java-related addon:

Java Quick Starter

That said, I'd still like to get the virus out of my system. I use Microsoft Security Essentials as my baseline with the occasional backup scan from MalwareBytes, and neither can locate it. MalwareBytes logs always seem to be the first request, so here goes:

It's not really step by step anything. I assume that it wants me to use SpyHunter to find the file locations, then manually delete them? That's what I did, anyway, but it only spotted various cookies that may or may not be tracking me down, and I just killed them all off.

Didn't fix the problem, though. I still get redirects, and now I have to replace all my cookies.

Please try disabling Javascript (as this is what the Google Redirect Virus uses as an exploit). In Firefox, go to Tools > Options > Content and look for the Javascript option. For Internet Explorer, go to Tools > Internet Options > Security > Custom Level, look for the Scripting option, and click "Disable". After you've done both browsers (if you have both on your system, that is), try running TDSS Killer, found here: http://support.kaspersky.com/viruse...

Another option to try is changing your DNS servers; you can do this by following this tutorial:

To configure TCP/IP, follow these steps:

1. Click Start, click Control Panel, click Network and Internet Connections, and then click Network Connections.

2. Right-click the network connection that you want to configure, and then click Properties.

3. On the General tab (for a local area connection), or the Networking tab (for all other connections), click Internet Protocol (TCP/IP), and then click Properties.

4. If you want to obtain DNS server addresses from a DHCP server, click Obtain DNS server address automatically.

5. If you want to manually configure DNS server addresses, click Use the following DNS server addresses, and then type the preferred DNS server and alternate DNS server IP addresses in the Preferred DNS server and Alternate DNS server boxes.

For Preferred DNS server, type in (without the quotes) "208.67.222.222", and for Alternate DNS server, type in (without the quotes) "208.67.220.220".
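An added example, not part of the thread: one way to confirm that the DNS change above took effect on every adapter is to parse the output of `ipconfig /all` and flag any resolver other than the two addresses given in the post. The sample output, adapter names and the 203.0.113.53 address are constructed for illustration, and the function names are hypothetical.

```python
import re

# Resolvers the post above says to enter as preferred/alternate DNS.
EXPECTED_DNS = {"208.67.222.222", "208.67.220.220"}
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed sample of `ipconfig /all` output (names and addresses made up).
SAMPLE = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:
        Connection-specific DNS Suffix  . :
        DNS Servers . . . . . . . . . . . : 208.67.222.222
                                            208.67.220.220

Ethernet adapter Wireless Network Connection:
        DNS Servers . . . . . . . . . . . : 203.0.113.53
                                            208.67.220.220
        Lease Obtained. . . . . . . . . . : Monday, January 01, 2010 10:00:00 AM
"""

def dns_servers_by_adapter(text):
    """Map each adapter header to the DNS servers listed under it."""
    adapters, current, collecting = {}, None, False
    for line in (r.rstrip() for r in text.splitlines() if r.strip()):
        if not line[0].isspace():
            # Unindented line: an adapter header ends with ":", a banner does not.
            current = line[:-1] if line.endswith(":") else None
            if current is not None:
                adapters[current] = []
            collecting = False
            continue
        if current is None:
            continue  # host-level settings printed before the first adapter
        label, sep, value = line.partition(" :")
        if sep:   # labelled line; only "DNS Servers" starts a server list
            collecting = label.strip(" .").lower() == "dns servers"
        else:     # continuation line: a bare value under the previous label
            value = line
        if collecting and IPV4.match(value.strip()):
            adapters[current].append(value.strip())
    return adapters

def unexpected_dns(text, expected=EXPECTED_DNS):
    """Return {adapter: [servers not in expected]} for adapters that deviate."""
    found = dns_servers_by_adapter(text)
    return {a: [s for s in srv if s not in expected]
            for a, srv in found.items() if set(srv) - set(expected)}
```

On a live machine, pass the captured text of `ipconfig /all` to `unexpected_dns`; an empty result means every adapter lists only the expected resolvers.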

Disabling Javascript (and removing Java, which I also did with the intention of re-installing) does not prevent the links from being hijacked, but it DOES prevent the redirect from going any further than the initial whattoseek.net (I haven't spotted the others yet) and has cut way back on the number of redirects.

TDSS Killer was run, but spotted nothing.

Changing DNS settings seems to have obliterated the redirects, but due to how much less common they were after gutting Java and turning off Javascript, it's kind of hard to tell whether this is just random chance. Turning off Javascript disables more than a few things, though, so if the DNS alone should fix the symptoms, I'd rather just use it.

I make fairly heavy use of Google, so if the problem is going to reappear, it'll do so pretty quickly.

Edit: having Javascript enabled with the DNS change remaining does allow a redirect.

-- Click on ATF-Cleaner to run it

-- Where it says Select Files To Delete, check the Select All option

-- Click Empty Selected > OK

Reboot

Download CCleaner, install it, open it... Under the 'Cleaner' section, select all in the 'Windows' and 'Applications' tabs, then click on 'Analyze' and then 'Run Cleaner'... Do the same in the 'Registry' tab, i.e. 'Scan For Issues' and 'Fix Selected Issues'. It will ask you to make a backup, DO IT... Then click on 'Fix All'... Now reboot the PC

old boy, I had already used MalwareBytes (there's a log in the first post) and Unhack Me located nothing. The link provided goes to a different, but similar, virus that redirects to different web sites.

Kristain, I executed both of those procedures, and while Firefox seems to be running a bit faster, it still has issues with redirects. They aren't going to the end target with Javascript disabled, but they do redirect to seek.ind.in and whattoseek.net, though the other redirect sites haven't shown up yet.

2) Disable any Anti-Virus/Anti-Spyware software currently running to avoid conflicts.

3) Double click on "Gmer.exe", and allow its .Sys driver to load.

4) Gmer will then open and run a quick scan. Please DO NOT USE THE COMPUTER WHILE THE SCAN IS IN PROGRESS.

5) If you receive a warning about Rootkit Activity on your system and are asked to do a full scan, click No.

6) Click the Scan button, and if you see a Rootkit Warning window click Ok (it should be the only option in the dialog box).

7) When the scan is finished, please click Save, and save the log to your desktop as Gmer.log

8) Click the Copy button and paste the log into your next reply.

9) Re-enable any Anti-Virus/Anti-Spyware software and any other security software you've disabled (Firewall).

Notes: If Gmer results in a BSOD or crashes, please uncheck "Devices" on the right side of the program before scanning. Also, if you encounter problems while scanning in normal mode, please try scanning in Safe Mode.

Are you still being redirected? If so, please run a scan with RootRepeal, found here: http://ad13.geekstogo.com/RootRepea... and post a log. Please follow the instructions in this thread before downloading RootRepeal: http://www.bleepingcomputer.com/for... After running RootRepeal and posting its log, please do a scan with Combo Fix and post a log, and I shall look over it tomorrow. Follow the instructions very carefully.

Another alternative if you're not comfortable using Combo Fix by yourself, as it is a very powerful program, is to post a HijackThis! log, and I too will look over it tomorrow: http://download.cnet.com/Trend-Micr...

You can also try the Kaspersky Online Scanner tool, which won't delete the infection(s), BUT it will show where they could potentially be. You can download this program from here, and please post a log as well if you run this: http://download.cnet.com/Kaspersky-...

Glad I could help, and please do if it starts again. Looking over your logs, you look clean, but I did find "Viewpoint Media", which I would get rid of with Unlocker, found here: http://ccollomb.free.fr/unlocker/ It's not spyware, but you don't need it on your system, as it's similar to Flash etc. for viewing rich media. But if it's not causing you any problems, you can keep it.

If I get a repeat infection, should I go right to RootRepeal and ComboFix? I know those are using heavy artillery and thus not the first things to try normally, but in this case it would seem the right course.
